This project integrates Cohesity Helios with Cisco SecureX so that Cohesity ransomware (anomaly) alerts can be managed in SecureX and acted on through Threat Response.
The integration uses the Cohesity Helios REST API to fetch anomaly information from Helios and to perform actions (ignore, resolve, restore) based on the alerts raised.
- What is Cisco SecureX
- Getting Started
- Supported Atomic Actions you can take
- Supported Workflows you can perform
- Minimum Permission for Helios User to generate Helios API KEY
- Supported Objects
- Suggestions and Feedback
SecureX is a cloud-native, built-in platform that connects the Cisco Secure portfolio with your infrastructure. It allows you to radically reduce dwell time and human-powered tasks. Refer to the Cisco SecureX page to learn more about it.
To start using the Cohesity SecureX integration, do the following.
- Import the Atomic Actions and Workflows from this Git repo into SecureX. Import the Atomics first and then the Workflows, because the Workflows depend on the Atomics. When the Workflows are imported, a global variable for the Helios API Key is created automatically; set it to your Helios API Key before running anything.
- Once all the Atomics and Workflows are imported, run the workflows. See the Workflows section for the prerequisites each workflow requires.
To learn more about importing and exporting your Workflows and Atomic Actions, refer to this video.
Atomic actions are self-contained workflows that are similar to a function in traditional programming. They can consume input, perform various actions, and then return output. They’re designed to be portable, re-usable, and make building workflows more efficient. Refer to the Atomic Actions documentation to find more.
Let's go over the list of Atomic Actions that this integration supports.
- Cohesity Helios - Get Anomalous Objects
- Cohesity Helios - Ignore Anomaly
- Cohesity Helios - Resolve Anomalous VM
- Cohesity Helios - Restore Anomalous VM
- Cohesity Threat Response - Create SecureX Incidents
- Cohesity Threat Response - Create SecureX Sightings
- Cohesity Threat Response - Create SecureX Relationship
- Cohesity Threat Response - Resolve SecureX Incident/Sighting
- Cohesity Threat Response - Delete SecureX Incident/Sighting/Relationship
- Cohesity Threat Response - Get SecureX Incident/Sighting/Relationship
Workflows are the larger component of orchestration and are similar to a script in traditional programming. A workflow can be simple and only have a few actions or be complex and string together many different actions for different products. Refer to the Workflows documentation to find more.
Let's go over the list of Workflows that this integration supports.
- Helios Ransomware Alerts to Threat Response and ServiceNow
- Ignore Anomaly on Cohesity Helios
- Cohesity Restore Anomalous Object
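As an added example (not code from the Cohesity integration itself), the Python below shows the data shaping behind the "Create SecureX Incidents / Sightings / Relationship" atomics and the "Helios Ransomware Alerts to Threat Response" workflow: one Helios anomaly alert becomes a CTIM Incident, a Sighting whose observable is the anomalous VM, and a member-of Relationship between the two, created in that order because the relationship needs both server-assigned ids. The sample alert and its field names, the CTIM schema version and the CTIA host name are assumptions; the real atomics may structure the objects differently.

```python
"""Map a Cohesity Helios ransomware-anomaly alert to the CTIM objects SecureX
Threat Response stores: an Incident, a Sighting for the anomalous VM, and a
member-of Relationship linking them.  Added example for this README, not the
integration's own atomic or workflow code; the Helios alert layout below is a
constructed sample and the CTIM schema version is an assumption."""
import json
import urllib.request
from datetime import datetime, timezone

CTIM_SCHEMA_VERSION = "1.1.3"   # assumption: pin to the version your tenant accepts
SOURCE = "Cohesity Helios"
SEVERITY_MAP = {"kCritical": "Critical", "kWarning": "Medium", "kInfo": "Info"}

# Constructed sample alert; the field layout is an assumption, not a capture.
SAMPLE_HELIOS_ALERT = {
    "id": "9f3c1e2a-example",
    "severity": "kCritical",
    "firstTimestampUsecs": 1_700_000_000_000_000,   # epoch microseconds
    "latestTimestampUsecs": 1_700_000_600_000_000,
    "alertDocument": {
        "alertName": "RansomwareAnomaly",
        "alertDescription": "Anomalous data change rate detected on a protected VM.",
    },
    "propertyList": [{"key": "object", "value": "finance-db-01"}],
}

def usecs_to_iso(usecs: int) -> str:
    """CTIM wants RFC 3339 UTC strings; Helios gives epoch microseconds."""
    dt = datetime.fromtimestamp(usecs / 1_000_000, tz=timezone.utc)
    return dt.isoformat(timespec="milliseconds").replace("+00:00", "Z")

def props(alert: dict) -> dict:
    return {p["key"]: p["value"] for p in alert.get("propertyList", [])}

def ctim_severity(helios_severity: str) -> str:
    return SEVERITY_MAP.get(helios_severity, "Unknown")

def alert_to_incident(alert: dict) -> dict:
    doc = alert["alertDocument"]
    return {
        "type": "incident",
        "schema_version": CTIM_SCHEMA_VERSION,
        "source": SOURCE,
        # Stable external_id: re-runs and resolve/delete steps can find this incident.
        "external_ids": [f"cohesity-helios-alert-{alert['id']}"],
        "title": f"{doc['alertName']} on {props(alert).get('object', 'unknown object')}",
        "description": doc["alertDescription"],
        "confidence": "High",
        "severity": ctim_severity(alert["severity"]),
        "status": "New",
        "incident_time": {"opened": usecs_to_iso(alert["firstTimestampUsecs"])},
    }

def alert_to_sighting(alert: dict) -> dict:
    vm = props(alert)["object"]
    return {
        "type": "sighting",
        "schema_version": CTIM_SCHEMA_VERSION,
        "source": SOURCE,
        "external_ids": [f"cohesity-helios-sighting-{alert['id']}-{vm}"],
        "observed_time": {
            "start_time": usecs_to_iso(alert["firstTimestampUsecs"]),
            "end_time": usecs_to_iso(alert["latestTimestampUsecs"]),
        },
        "confidence": "High",
        "severity": ctim_severity(alert["severity"]),
        "count": 1,
        "description": alert["alertDocument"]["alertDescription"],
        "observables": [{"type": "hostname", "value": vm}],   # what SecureX pivots on
    }

def link_sighting_to_incident(sighting_id: str, incident_id: str) -> dict:
    """Refs are the server-assigned ids returned on creation, so build this last."""
    return {
        "type": "relationship",
        "schema_version": CTIM_SCHEMA_VERSION,
        "relationship_type": "member-of",
        "source_ref": sighting_id,
        "target_ref": incident_id,
    }

def post_ctim(api_base: str, bearer_token: str, obj: dict) -> str:
    """POST one CTIM object to the regional CTIA host (e.g. https://private.intel.amp.cisco.com)."""
    req = urllib.request.Request(
        f"{api_base}/ctia/{obj['type']}", data=json.dumps(obj).encode(), method="POST",
        headers={"Authorization": f"Bearer {bearer_token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["id"]

def escalate(alert: dict, api_base: str, bearer_token: str) -> dict:
    """Incident first, then sighting, then the relationship that needs both ids."""
    incident_id = post_ctim(api_base, bearer_token, alert_to_incident(alert))
    sighting_id = post_ctim(api_base, bearer_token, alert_to_sighting(alert))
    post_ctim(api_base, bearer_token, link_sighting_to_incident(sighting_id, incident_id))
    return {"incident": incident_id, "sighting": sighting_id}
```

The `external_ids` values are the part worth keeping whatever else you change: they give a later resolve or delete step a stable handle derived from the Helios alert id, and let a re-run look for an existing incident before creating another one instead of flooding Threat Response with duplicates every time the workflow polls.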
To explore the various options SecureX orchestration offers for importing and exporting your Workflows and Atomic Actions, refer to this video.
To run the workflows in SecureX you must supply a Helios API Key. The Helios user that creates this API Key needs the following privileges.
- Viewer role: required for the user to log in to Cohesity Helios and create the API Key.
- Manage Protection Groups and Manage Recovery: required to identify a clean snapshot and recover the VM to its last known safe state.
Grant the API Key's user no more than these privileges: the key is stored in SecureX as a global variable, so anyone who can run the workflows can act with whatever rights that user holds.
To know more about Cohesity roles, please visit the Cohesity Product Documentation.
For this release of the integration, only Anomalous VMs are supported as Objects. More Objects from Cohesity Helios will be supported in the future. Please reach out to us for more information.
We would love to hear from you. Please send your suggestions and feedback to: cohesity-api-sdks@cohesity.com
Apache 2.0